<meta charset="utf-8">
(#) Libraries with Privacy or Security Risks

!!! WARNING: Libraries with Privacy or Security Risks
   This is a warning.

Id
:   `RiskyLibrary`
Summary
:   Libraries with Privacy or Security Risks
Severity
:   Warning
Category
:   Security
Platform
:   Android
Vendor
:   Android Open Source Project
Feedback
:   https://issuetracker.google.com/issues/new?component=192708
Since
:   3.2.0 (September 2018)
Affects
:   Gradle build files and TOML files
Editing
:   This check runs on the fly in the IDE editor
See
:   https://developer.android.com/distribute/sdk-index
See
:   https://goo.gle/RiskyLibrary
Implementation
:   [Source Code](https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-checks/src/main/java/com/android/tools/lint/checks/GradleDetector.kt)
Tests
:   [Source Code](https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-tests/src/test/java/com/android/tools/lint/checks/GradleDetectorTest.kt)

Your app is using a version of a library that has been identified by the
library developer as a potential source of privacy and/or security
risks. This may be a violation of Google Play policies (see
https://play.google.com/about/monetization-ads/ads/) and/or affect your
app’s visibility on the Play Store.

When available, the individual error messages from lint will include
details about the reasons for this advisory.

Please try updating your app with an updated version of this library, or
remove it from your app.

!!! Tip
   This lint check has an associated quickfix available in the IDE.

(##) Example

Here is an example of lint warnings produced by this check:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~text
build.gradle:7:Error: [Prevents app release in Google Play Console]
log4j:log4j version 1.2.13 has been reported as problematic by its
author and will block publishing of your app to Play Console
[RiskyLibrary]
    compile 'log4j:log4j:1.2.13' // Critical BLOCKING
            --------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here is the source file referenced above:

`build.gradle`:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~groovy linenumbers
dependencies {
    compile 'log4j:log4j:1.2.18' // OK, latest
    compile 'log4j:log4j:1.2.17' // OK
    compile 'log4j:log4j:1.2.16' // Critical NON_BLOCKING
    compile 'log4j:log4j:1.2.15' // Outdated NON_BLOCKING
    compile 'log4j:log4j:1.2.14' // Non compliant
    compile 'log4j:log4j:1.2.13' // Critical BLOCKING
    compile 'log4j:log4j:1.2.12' // OUTDATED BLOCKING
    compile 'log4j:log4j:1.2.11' // Ok (not in Index)
    compile 'com.example.ads.third.party:example:8.0.0' // OK
    compile 'com.example.ads.third.party:example:7.2.2' // OK
    compile 'com.example.ads.third.party:example:7.2.1' // OK
    compile 'com.example.ads.third.party:example:7.2.0' // Outdated + Critical + Policy (multiple issues), no severity
    compile 'com.example.ads.third.party:example:7.1.0' // Policy (Ads), non-blocking
    compile 'com.example.ads.third.party:example:7.1.1' // Policy (Device and Network Abuse), blocking
    compile 'com.example.ads.third.party:example:7.1.2' // Policy (Deceptive Behavior), no severity
    compile 'com.example.ads.third.party:example:7.1.3' // Policy (User Data), non-blocking
    compile 'com.example.ads.third.party:example:7.1.4' // Policy (Permissions), blocking
    compile 'com.example.ads.third.party:example:7.1.5' // Policy (Mobile Unwanted Software), no-severity
    compile 'com.example.ads.third.party:example:7.1.6' // Policy (Malware), non-blocking
    compile 'com.example.ads.third.party:example:7.1.7' // Policy (multiple types), non-blocking
    compile 'com.example.ads.third.party:example:7.1.8' // Policy (multiple types), blocking
    compile 'com.example.ads.third.party:example:7.1.9' // Policy (multiple types), no severity
    compile 'com.example.ads.third.party:example:7.1.10' // Vulnerability (UNSAFE_HOSTNAME_VERIFIER, non-blocking)
    compile 'com.example.ads.third.party:example:7.1.11' // Vulnerability multiple (UNSAFE_SSL_ERROR_HANDLER, ZIP_PATH_TRAVERSAL, UNSAFE_WEBVIEW_OAUTH, blocking)
    compile 'com.example.ads.third.party:example:7.1.12' // Vulnerability multiple (non-blocking)
    compile 'com.example.issues:issues-on-latest:1.8.0' // Outdated blocking
    compile 'com.example.issues:latest-is-preview:1.0.0' // Outdated non-blocking
    compile 'com.example.issues:deprecated:2.0.0' // Deprecated

    compile 'log4j:log4j:latest.release' // OK
    compile 'log4j:log4j' // OK
    compile 'log4j:log4j:_' // OK

    compile 'com.another.example:example' // Ok (not in Index)
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You can also visit the
[source code](https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-tests/src/test/java/com/android/tools/lint/checks/GradleDetectorTest.kt)
for the unit tests for this check to see additional scenarios.

The above example was automatically extracted from the first unit test
found for this lint check, `GradleDetector.testSdkIndexLibrary`.
To report a problem with this extracted sample, visit
https://issuetracker.google.com/issues/new?component=192708.

(##) Suppressing

You can suppress false positives using one of the following mechanisms:

* Using a suppression comment like this on the line above:

  ```kt
  //noinspection RiskyLibrary
  problematicStatement()
  ```

* Using a special `lint.xml` file in the source tree which turns off
  the check in that folder and any sub folder. A simple file might look
  like this:
  ```xml
  &lt;?xml version="1.0" encoding="UTF-8"?&gt;
  &lt;lint&gt;
      &lt;issue id="RiskyLibrary" severity="ignore" /&gt;
  &lt;/lint&gt;
  ```
  Instead of `ignore` you can also change the severity here, for
  example from `error` to `warning`. You can find additional
  documentation on how to filter issues by path, regular expression and
  so on
  [here](https://googlesamples.github.io/android-custom-lint-rules/usage/lintxml.md.html).

* In Gradle projects, using the DSL syntax to configure lint. For
  example, you can use something like
  ```gradle
  lintOptions {
      disable 'RiskyLibrary'
  }
  ```
  In Android projects this should be nested inside an `android { }`
  block.

* For manual invocations of `lint`, using the `--ignore` flag:
  ```
  $ lint --ignore RiskyLibrary ...`
  ```

* Last, but not least, using baselines, as discussed
  [here](https://googlesamples.github.io/android-custom-lint-rules/usage/baselines.md.html).

<!-- Markdeep: --><style class="fallback">body{visibility:hidden;white-space:pre;font-family:monospace}</style><script src="markdeep.min.js" charset="utf-8"></script><script src="https://morgan3d.github.io/markdeep/latest/markdeep.min.js" charset="utf-8"></script><script>window.alreadyProcessedMarkdeep||(document.body.style.visibility="visible")</script>